So whenever PrimaryServerAddress answers 192.168.1.1, Acrylic will continue lookup on SecondaryServerAddress, if it still answers 192.168.1.* or 192.168.2.2, then to TertiaryServerAddress until a correct answer is retrieved.

If all answers were in the blacklist, I hope Acrylic could yield SERVERFAIL if there's no Default IP.

And Acrylic can log this fail.

I know under one circumstance things might get somehow complicated, when DNS returns multiple records and one of them unfortunately were included in the blacklist, I hope that IP could be eliminated in the protocol level and cache only the rest of correct answers. If this is hard to implement, simply return SERVERFAIL.

I hope this won't take you guys too much time, and any help or suggestions is appreciated.